feat: kind:0 NIP-OA as single source of truth for agent ownership (stacked on #1060)#1186
Closed
tellaho wants to merge 3 commits into
Lift the relay's private extract_single_auth_tag_json into buzz_sdk::nip_oa so relay and desktop enforce identical auth-tag structure (exactly one auth tag, exactly four elements). The relay's identity-archive consent path now calls the shared helper; the duplicated private copy is removed.
Adds unit tests for the happy path, ignoring non-auth tags, missing tag, multiple auth tags, and wrong-arity auth tag.
Co-authored-by: Taylor Ho <taylorkmho@gmail.com>
Signed-off-by: Taylor Ho <taylorkmho@gmail.com>
…olveOaOwner
Drop the custom relay ownership endpoint call (resolve_agent_ownership)
in favor of the live kind:0 NIP-OA proof path (resolveOaOwner), the same
authority the relay now gates observer-frame delivery on. Adapter shape
(agentPubkey, ownerPubkey, isOwner) is preserved so both consumers --
useCanViewAgentActivity and useChannelAgentSessions -- keep reading
.isOwner unchanged. An agent with no kind:0, no auth tag, or a failing
tag resolves to { ownerPubkey: null, isOwner: false }.
Co-authored-by: Taylor Ho <taylorkmho@gmail.com>
Signed-off-by: Taylor Ho <taylorkmho@gmail.com>
… custom ownership endpoint
Make the agent's live kind:0 NIP-OA auth tag the single source of truth for agent-activity ownership end-to-end, so relay delivery and desktop visibility agree.
Step 3 — remove the custom ownership endpoint:
- Delete GET /api/agents/:pubkey/ownership (relay route + api/agents.rs).
- Delete the resolve_agent_ownership Tauri command and its registration.
- Drop the resolve_agent_ownership e2e mock and agentOwnerIsMe config.
Step 4 — align the relay's observer-frame delivery gate:
- Add resolve_live_kind0_owner: reads the agent's latest global kind:0, extracts the single well-formed auth tag, and verifies it.
- Wire it into the observer gate. Authority order: session NIP-OA fast-path -> live kind:0 proof -> DB cache fallback.
- A kind:0 owner mismatch DENIES rather than falling through to the DB, so the DB column can never contradict kind:0.
- Keep agent_owner_pubkey (written from NIP-42 AUTH) as a cache/backfill fallback so BYO/CLI agents that AUTH without publishing a profile keep observer delivery.
- Add 3 DB-backed tests: owner match, owner flip, absent profile -> None.
Co-authored-by: Taylor Ho <taylorkmho@gmail.com>
Signed-off-by: Taylor Ho <taylorkmho@gmail.com>
What this does

Makes each agent's live kind:0 NIP-OA auth tag the single source of truth for agent-activity ownership, end-to-end — so the relay's observer-frame delivery and desktop's visibility gate agree on the same proof. This replaces the custom relay ownership endpoint #1060 introduces.

This is the direction Max & Eva converged on in the agent-observability room: the relay was gating delivery on the DB column agent_owner_pubkey (written from the NIP-42 AUTH event), while a UI gating on kind:0 could disagree with what the relay actually ships. This PR closes that gap.

The four moves

- buzz-sdk::nip_oa gets exactly-one-auth-tag extraction (mirrors the relay's existing extract_single_auth_tag_json), so relay + desktop share one helper. +5 unit tests.
- resolveAgentOwnership → thin wrapper over the existing resolveOaOwner (live kind:0 path). Adapter shape unchanged — useCanViewAgentActivity and useChannelAgentSessions both keep working.
- GET /api/agents/:pubkey/ownership, its Tauri command + registration, and the e2e mock.
- kind:0 proof. Authority order: session NIP-OA fast-path → live kind:0 proof → DB cache fallback. A kind:0 owner mismatch DENIES (no DB fallthrough), so the DB can never contradict kind:0. agent_owner_pubkey stays as a cache/backfill fallback so BYO/CLI agents that AUTH without publishing a profile keep observer delivery. +3 DB-backed tests.

Policy note (open for tho)

Shipped with the BYO fallback kept — AUTH-only/CLI agents retain observer delivery without publishing a kind:0. If we'd rather require every owned agent publish a kind:0 (dropping the fallback for tidier authority), that's a one-line tightening of step 4.

Test status

- cargo build clean + 332 tests pass (the 3 new DB-backed tests ran against live Postgres).
- tsc --noEmit exit 0; no dangling refs to the deleted endpoint/command.

Desktop tauri cargo build could not run locally (cmake missing for the audiopus native dep — environment limitation, unrelated to these changes). Please confirm the tauri crate builds in CI.

🤖 Stacked PR opened by Ned on behalf of @tellaho.
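
The auth-tag structure rule and the observer-gate authority order described in this PR, as an added Rust example (not code from the PR or from buzz_sdk). Function names and signatures are hypothetical; the kind:0 owner passed in is assumed to be already signature-verified, and the session fast-path is assumed to allow only on a match and otherwise continue.

```rust
// Added illustration; names are hypothetical, not the buzz_sdk API.

/// Return the one `auth` tag if the event carries exactly one and it has
/// exactly four elements; any other shape yields None.
fn extract_single_auth_tag(tags: &[Vec<String>]) -> Option<&[String]> {
    let mut auth = tags
        .iter()
        .filter(|t| t.first().map(String::as_str) == Some("auth"));
    let only = auth.next()?;
    if auth.next().is_some() || only.len() != 4 {
        return None; // duplicate auth tags or wrong arity: reject
    }
    Some(only.as_slice())
}

/// Observer-frame gate in the order the PR describes.
/// `kind0_owner` is the verified owner from the live kind:0, or None
/// when there is no usable proof (assumption: absent profile -> None).
fn observer_may_view(
    observer: &str,
    session_owner: Option<&str>,
    kind0_owner: Option<&str>,
    db_owner: Option<&str>,
) -> bool {
    // 1. Session NIP-OA fast-path (assumed: a match allows at once).
    if session_owner == Some(observer) {
        return true;
    }
    // 2. A live kind:0 proof is authoritative when present: a mismatch
    //    denies here and never reaches the DB column.
    if let Some(owner) = kind0_owner {
        return owner == observer;
    }
    // 3. DB cache fallback, only for agents with no kind:0 proof.
    db_owner == Some(observer)
}

/// Build a tag from string parts (constructed sample data helper).
fn tag(parts: &[&str]) -> Vec<String> {
    parts.iter().map(|s| s.to_string()).collect()
}

fn main() {
    // Constructed sample tags; element values are placeholders.
    let tags = vec![tag(&["name", "agent"]), tag(&["auth", "a", "b", "c"])];
    println!("{:?}", extract_single_auth_tag(&tags));
    // Owner flip: kind:0 names bob while the DB cache still names alice.
    println!("{}", observer_may_view("alice", None, Some("bob"), Some("alice")));
}
```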